Potential Suspicious BPF Activity - Linux

Rule Info

Name
Potential Suspicious BPF Activity - Linux
Author
Red Canary (idea), Nasreddine Bencherchali
Description
Detects the presence of "bpf_probe_write_user" BPF helper-generated warning messages. Which could be a sign of suspicious eBPF activity on the system.
Reference
https://redcanary.com/blog/ebpf-malware/
Date
2023-01-25 00:00:00
Modified
None
Id
0fadd880-6af3-4610-b1e5-008dc3a11b8a
Tags
attack.persistence attack.defense_evasion DEMO
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=0fadd880-6af3-4610-b1e5-008dc3a11b8a

Rule History

Author
Title
Date
Commit
github-actions[bot]
Merge PR #4611 from @nasbench - Promote Older Rules Status From `experimental` To `test`
2023-12-01
ae960f088
Nasreddine Bencherchali
fix: rule logic
2023-01-25
f42eb77f2
Nasreddine Bencherchali
fix: single element selection
2023-01-25
d47215d46
Nasreddine Bencherchali
feat: add bpf related rules
2023-01-25
7d2b70cb9
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022